Today i’d like to discuss some interesting behavior we face with PIM-SM. I was implementing Multicast routing on a live environment, nothing really difficult i thought. Hub and spoke NBMA network (a DMVPN implementation) with a statically assigned RP. After applying all configs, including pim nbma-mode of course, things were not quite working and i couldn’t figured out why. Only the first packets was always delivered, and all traffic was delivered if i kept on using the shared tree disabling the switch over to the source tree with ip pim spt-threshold infinity. Why i was getting a bit crazy, things were supposed to work but they didn’t… so i decided to do what every network admin should do, and i definitely can say now, should do earlier! Use Wireshark! Make some packet capture and analyze the traffic.
To explain better what happened, let’s focus on the simple topology:
All routers are running EIGRP on all links, the RP is R1 and the RP address is R1′s loopback interface. The topology is so simple that an RPF failure would never happen. Multicast configuration is the same on every router and is visible in the picture.
Multicast traffic from sender to receiver is not properly delivered. The first packet is always delivered, the following were not. Configuring R4 to never switch over the source tree using ip pim spt-threshold infinity made communication possible. Read the rest of this entry »
It has been long time since my last post. I have been quite busy. The new job is all but what I expected. A lot of new things happened, including me passing the written exam. Now CCIE v5 is approaching and Dynamic Multipoint VPN is a new topic just added to the blueprint. Since I’ve been working with this kind of VPN for a while i decided that is about time to write a new blog post and try to explain the basic concepts and configurations.
Within the scope of the v5 curriculum, DMVPN will only have a single hub site and IPsec encryption will be pre-shared key based.
Read the rest of this entry »
While writing an article about QoS, I realized that i needed at clarify some of the terminology used. In particular I want to discuss first about the different ways to control the amount of traffic we send out or receive in a particular interface, especially in the case when the CIR we contracted is less than the physical speed of our interface. I’m talking about Shaping and Policing.
Shaping and policing are two very different approaches and are configured also in a very different way even though they use similar terminology. In this article I will be focusing on the first of the two methods, traffic shaping.
With traffic shaping we configure the router to ensure that the bit rate of packets leaving an interface will not exceed the configured value. When the configured value is exceeded, the exceeding packets are queued in the shaping queue and forwarded on a later time. Therefore, traffic shaping can only be applied outbound.
Read the rest of this entry »
In the past days I was playing with my router at home! I got from eBay a couple of new toys, an HWIC-4ESW (4 switched ports module) and an HWIC-AP-G-E (802.11 b/g for Europe module). The Idea was to get rid of any extra piece of equipment I have at home. Now that I am finally done, my setup consists of a Cisco 1841 taking care of WAN connection to my ISP, small switch for the LAN, Wireless AP for my house, firewall and several other things :D.
My goal today is to show you how to configure the router so that wireless and wired clients will belong to the same network. This is the most wanted setup in a SOHO environment. Later in, I will show more advanced configurations like hidden networks and so on. This is how it looks like:
In my previous post about SPAN and RSPAN, one of my readers posted a comment saying that he had problems to configure an ether-channel between his CentOS server and a Cisco switch.
I don’t actually have a PC with two NICs, so I decided to do everything with VirtualBox as it’s integrated in GNS3.
Although is not my goal to describe you how to set up VirtualBox and install CentOS, I will still show you some important details to make your installation interact properly with GNS3. Read the rest of this entry »
While reviewing some switching, I passed through few pages regarding 802.1x port authentication.
What is 802.1X?
IEEE 802.1x is a standard that allows to bring security on wired and wireless networks. Before a switch will allow a port to forward traffic, the user connected at that port will need to authenticate with a radius server (authentication server). Until the user pass the authentication, the only traffic allowed trough the port is the layer 2 EAP over Lan (EAPoL). The client itself is not able to contact directly the authentication server, for this reason the switch itself will act as authenticator. Based on particular needs, a guest and a restricted VLANs can be configured. The guest VLAN will be used if the client doesn’t support 802.1x, instead the restricted VLAN if the client fails to authenticate.
Communication between client and authenticator is handled by EAPoL, instead, between authenticator and authentication server is handled via Radius. This is how a successful authentication flow appears:
In the past days I have been quite busy, I was outside Europe for a long trip, and also I spent a lot of time (and I still do) studying some technologies I’m not familiar with because of my new job. One of the books I recently finished to study is Internet Routing Architectures second edition by Sam Halabi.
This book is quite old right now, is from the early 2000, so we are talking of a book almost 13 years old . In any case, that doesn’t seem to effect the quality of this book that i have to admit is great. The book starts with a description of how Internet evolved and few chapters later finally reaches BGP. This book has only one defect in my opinion, that is separating protocol description and its implementation. The whole book in fact, is just a long description about how the protocol works in all its aspects, but no reference on how to implement the features described is done. Instead the author decided to push all the implementation part to the last two chapters. Even tough, I highly suggest this book to anyone is interested in learning how Internet works, and is definitely a big supplement for CCIE Studies as also recommended by several trainers like INE.